Should spies use secret software vulnerabilities?

The attack took advantage of a vulnerability in the Windows operating system that the federal government had been aware of for years but had chosen not to tell Microsoft about until just months before the WannaCry attack began. That history and the potential for more releases in the coming weeks have intensified the debate around how governments and spy agencies should act when they discover weaknesses in computer software.

In May, a hacker or hacking group released a piece of malicious software using “EternalBlue” to hijack computers, encrypt the data on them and charge victims a ransom to restore access to their information.

If the NSA had told Microsoft about the flaw five years ago, things could have unfolded differently. In particular, users could have had much more time to update their software – which would have substantially increased the number of people protected against the vulnerability.

Using ‘zero days’

The most serious cyberattacks are those that use previously unknown vulnerabilities. They are called “zero day” exploits because the developers had no time to fix it before trouble began, and nobody is protected. The NSA may know of hundreds, or even thousands, of them. Spy agencies of other countries, including China, Russia, Iran and North Korea, are also working to find zero-day vulnerabilities.

Using these vulnerabilities can be effective. For instance, the NSA used four zero-day vulnerabilities as part of a series of cyberattacks on Iran’s nuclear enrichment sites. That effort, officially code-named “Olympic Games,” created the program known to the public as “Stuxnet,” which damaged about 1,000 centrifuges and may have helped force Iran to negotiate with the U.S. about its nuclear program.